Description
Security update for nodejs8
This update for nodejs8 fixes the following issues:
- update to npm 6.14.13
- CVE-2021-27290: Fixed ssri Regular Expression Denial of Service (bsc#1187976)
- CVE-2021-23362: Fixed hosted-git-info Regular Expression Denial of Service (bsc#1187977)
- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
Package list
SUSE Enterprise Storage 6
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise Module for Web and Scripting 15 SP2
SUSE Linux Enterprise Server 15 SP1-BCL
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server for SAP Applications 15
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Manager Proxy 4.0
SUSE Manager Retail Branch Server 4.0
SUSE Manager Server 4.0
References
- Link for SUSE-SU-2021:2620-1
- E-Mail link for SUSE-SU-2021:2620-1
- SUSE Security Ratings
- SUSE Bug 1182620
- SUSE Bug 1184450
- SUSE Bug 1187976
- SUSE Bug 1187977
- SUSE CVE CVE-2020-7774 page
- SUSE CVE CVE-2021-22884 page
- SUSE CVE CVE-2021-23362 page
- SUSE CVE CVE-2021-27290 page
Description
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Affected products
References
- CVE-2020-7774
- SUSE Bug 1184450
Description
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.
Affected products
References
- CVE-2021-22884
- SUSE Bug 1182620
- SUSE Bug 1188549
- SUSE Bug 1201328
Description
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Affected products
References
- CVE-2021-23362
- SUSE Bug 1187977
Description
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Affected products
References
- CVE-2021-27290
- SUSE Bug 1187976